diff mbox series

classes-recipe/sbom-cve-check: fix sstate cache mismatch in sbom path

Message ID 20260701100045.3903557-1-anna-lena.marx@inovex.de
State New
Headers show
Series classes-recipe/sbom-cve-check: fix sstate cache mismatch in sbom path | expand

Commit Message

Anna-Lena Marx July 1, 2026, 10 a.m. UTC
Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check
task to fail in subsequent builds when the image generation is restored from
the sstate cache.
${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX},
which is re-evaluated during the current execution.
This results in a timestamp mismatch with the actually deployed cached
SPDX artifact.

Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task
reliably targets the stable symlink in the deploy directory,
restoring cache determinism and preventing "No such file or directory"
errors on rebuilds.

Signed-off-by: Anna-Lena Marx <anna-lena.marx@inovex.de>
---
 meta/classes-recipe/sbom-cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Yoann Congal July 1, 2026, 10:31 a.m. UTC | #1
Le mer. 1 juil. 2026 à 12:00, Anna-Lena Marx via lists.openembedded.org
<anna-lena.marx=inovex.de@lists.openembedded.org> a écrit :

> Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check
> task to fail in subsequent builds when the image generation is restored
> from
> the sstate cache.
> ${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX},
> which is re-evaluated during the current execution.
> This results in a timestamp mismatch with the actually deployed cached
> SPDX artifact.
>
> Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task
> reliably targets the stable symlink in the deploy directory,
> restoring cache determinism and preventing "No such file or directory"
> errors on rebuilds.
>
> Signed-off-by: Anna-Lena Marx <anna-lena.marx@inovex.de>
> ---
>

Ping Ryan, isn't what you worked on as well?
That patch from Anna-Lena looks like a fix for the regression created by
[0] you talked about.

Anna-Lena, do you think your fix is linked to [0]?

[0]:
https://git.openembedded.org/openembedded-core/commit/?id=b9f060ea6d54cc419df9ff5f8822a3536934606f



>  meta/classes-recipe/sbom-cve-check.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/classes-recipe/sbom-cve-check.bbclass
> b/meta/classes-recipe/sbom-cve-check.bbclass
> index 451595f1d7..fe145a2212 100644
> --- a/meta/classes-recipe/sbom-cve-check.bbclass
> +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> @@ -14,7 +14,7 @@ python do_sbom_cve_check() {
>      """
>      Task: Run sbom-cve-check analysis on SBOM.
>      """
> -    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json")
> +    sbom_path =
> d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
>      image_name = d.getVar("IMAGE_NAME")
>      link_name = d.getVar("IMAGE_LINK_NAME")
>      run_sbom_cve_check(d, sbom_path, image_name, link_name)
> --
> 2.55.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#239959):
> https://lists.openembedded.org/g/openembedded-core/message/239959
> Mute This Topic: https://lists.openembedded.org/mt/120061528/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Marko, Peter July 1, 2026, 10:40 a.m. UTC | #2
This patch does not look correct as it basically reverts previous patch, returning to broken builds with empty image link name.

There is I think a better patch for this on the mailing list - https://lists.openembedded.org/g/openembedded-core/message/239739

The main problem is that spdx tasks create sstate objects for images.
Image tasks are not supposed to do that.
I think I’ll send a patch for that some day.

Peter

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Yoann Congal via lists.openembedded.org
Sent: Wednesday, July 1, 2026 12:31 PM
To: anna-lena.marx@inovex.de
Cc: openembedded-core@lists.openembedded.org; Ryan Eatmon <reatmon@ti.com>
Subject: Re: [OE-core] [PATCH] classes-recipe/sbom-cve-check: fix sstate cache mismatch in sbom path



Le mer. 1 juil. 2026 à 12:00, Anna-Lena Marx via lists.openembedded.org<http://lists.openembedded.org> <anna-lena.marx=inovex.de@lists.openembedded.org<mailto:inovex.de@lists.openembedded.org>> a écrit :
Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check
task to fail in subsequent builds when the image generation is restored from
the sstate cache.
${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX},
which is re-evaluated during the current execution.
This results in a timestamp mismatch with the actually deployed cached
SPDX artifact.

Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task
reliably targets the stable symlink in the deploy directory,
restoring cache determinism and preventing "No such file or directory"
errors on rebuilds.

Signed-off-by: Anna-Lena Marx <anna-lena.marx@inovex.de<mailto:anna-lena.marx@inovex.de>>
---

Ping Ryan, isn't what you worked on as well?
That patch from Anna-Lena looks like a fix for the regression created by [0] you talked about.

Anna-Lena, do you think your fix is linked to [0]?

[0]: https://git.openembedded.org/openembedded-core/commit/?id=b9f060ea6d54cc419df9ff5f8822a3536934606f

 meta/classes-recipe/sbom-cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 451595f1d7..fe145a2212 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -14,7 +14,7 @@ python do_sbom_cve_check() {
     """
     Task: Run sbom-cve-check analysis on SBOM.
     """
-    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json")
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
     image_name = d.getVar("IMAGE_NAME")
     link_name = d.getVar("IMAGE_LINK_NAME")
     run_sbom_cve_check(d, sbom_path, image_name, link_name)
--
2.55.0





--
Yoann Congal
Smile ECS
diff mbox series

Patch

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 451595f1d7..fe145a2212 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -14,7 +14,7 @@  python do_sbom_cve_check() {
     """
     Task: Run sbom-cve-check analysis on SBOM.
     """
-    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json")
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
     image_name = d.getVar("IMAGE_NAME")
     link_name = d.getVar("IMAGE_LINK_NAME")
     run_sbom_cve_check(d, sbom_path, image_name, link_name)